fix(deps): vuln patch: brace-expansion, flatted, picomatch #133

Open

gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/0-1781559235
Conversation

@gh-worker-campaigns-3e9aa4

Summary: High-severity security update — 3 packages upgraded (patch changes only)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---------|------|----|------|----------|-----------------------|
| picomatch | 4.0.3 | 4.0.4 | patch | Transitive | 2 HIGH, 2 MEDIUM |
| flatted | 3.4.1 | 3.4.2 | patch | Transitive | 2 HIGH |
| brace-expansion | 5.0.4 | 5.0.6 | patch | Transitive | 3 MEDIUM |

Security Details

🚨 Critical & High Severity (4 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---------|-----|----------|---------|----------------|----------|
| flatted | GHSA-rf6f-7fwh-wjgh | HIGH | Prototype Pollution via parse() in NodeJS flatted | 3.4.1 | 3.4.2 |
| flatted | CVE-2026-33228 | HIGH | flatted: Prototype Pollution via parse() | 3.4.1 | - |
| picomatch | GHSA-c2c7-rcm5-vvqj | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 4.0.3 | 4.0.4 |
| picomatch | CVE-2026-33671 | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 4.0.3 | - |

ℹ️ Other Vulnerabilities (5)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---------|-----|----------|---------|----------------|----------|
| brace-expansion | GHSA-f886-m6hf-6m8v | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 5.0.4 | 5.0.5 |
| brace-expansion | CVE-2026-33750 | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 5.0.4 | - |
| brace-expansion | GHSA-jxxr-4gwj-5jf2 | MODERATE | brace-expansion: Large numeric range defeats documented max DoS protection | 5.0.4 | 5.0.6 |
| picomatch | GHSA-3v7f-55p6-f55p | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 4.0.3 | 4.0.4 |
| picomatch | CVE-2026-33672 | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 4.0.3 | - |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@github-actions

Overall package size

Self size: 28 MB
Deduped: 28 MB
No deduping: 28 MB

Dependency sizes

| name | version | self size | total size |
|------|---------|-----------|------------|

🤖 This report was automatically generated by heaviest-objects-in-the-universe

@dd-prapprover

dd-prapprover Bot commented Jun 16, 2026

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-06-16T14:00:42Z
  • ✅ CI tests passed - 2026-06-16T14:00:48Z
  • ✅ Approved (commit: f1364a8) - 2026-06-16T14:00:52Z
  • ✅ Merge Started
  • ⬜ Merged

➡️ Current phase: merge in progress...

@dd-prapprover dd-prapprover Bot left a comment

This PR has been automatically approved by the DD PR Approver bot.

@campaigner-prod

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Jun 16, 2026

View all feedbacks in Devflow UI.

2026-06-16 19:34:34 UTC ℹ️ Start processing command /merge
Use /merge -c to cancel this operation!


2026-06-16 19:34:38 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 0s (p90).

Use /merge -c to cancel this operation!


2026-06-16 21:29:40 UTC ℹ️ MergeQueue: Readding this merge request to the queue because another merge request processed with yours failed. No action is needed from your side.
Use /merge -c to cancel this operation!


⏳ Processing